Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.


TOP OF THE NEWS

Mac OS X, Safari Security Threats on the Rise (1 May/30 April 2006)

As more threats against Macintosh computers emerge, there is a growing realization that Mac users are no longer immune to cyber attacks. Seven new flaws in Mac OS X were recently reported; Apple plans to address these in its next update. Furthermore, the SANS Institute's Top-20 Internet vulnerabilities added Mac OS X for the first time in 2005; the updated list, out this week, includes flaws in Apple's Safari web browser that were exploited before Apple was able to fix them. Rohit Dhamankar, who edits the @RISK newsletter for SANS, said "the number of vulnerabilities in the Mac OS has certainly increased in the last six-month period."
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/05/01/BUGK7IHGOC1.DTL&type=printable
-http://www.msnbc.msn.com/id/12537279/

Pending Law in Georgia Could Mean Jail Time for Forensic Computer Consultants Who Testify in Court (24 April 2006)

Georgia's HB 1259, which has the approval of the state legislature but not the Governor's signature, would require private investigators (PIs) in the State of Georgia to be licensed. The law is broadly written and could be interpreted to include most computer forensics and incident response experts. It is possible under the new law that computer security experts would need a PI license to testify in court or face felony charges.
-http://www.securityfocus.com/columnists/399
[Editor's Note (Schultz): I have for quite a while been concerned about the number of people who claim to be "forensic computer experts" without credentials that appear to be genuine. At the same time, however, I doubt whether requiring that people who serve as expert computer forensics witnesses in court cases have a PI license will do much if any good in weeding out imposters.]

The National Institute of Standards and Technology (NIST) has released Special Publication 800-92: Guide to Security Log Management. The draft guidelines address log generation, transmission, storage, analysis and disposal. They offer suggestions for creating a log management policy and creating a centralized log management infrastructure.
-http://www.fcw.com/article94229-04-28-06-Web
-http://csrc.ncsl.nist.gov/publications/drafts/DRAFT-SP800-92.pdf
[Editor's Note (Boeckman): This is a good document. System logs are still a very valuable component of intrusion and misuse detection. I hope this will help analysts make better use of log data.]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

RIAA and MPAA Ask University Presidents for Help in Fighting Piracy (27 April 2006)

The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have sent letters to 40 US university presidents informing them of problems with pirated digital content on their schools' local area networks (LANs) and asking they take action to halt the copyright violations. The RIAA and the MPAA say students are trading files across school LANs rather than sending them over the Internet. LANs in universities often serve tens of thousands of people. -http://news.com.com/2102-1025_3-6066118.html?tag=st.util.print

BSA Ups Maximum Reward for Tips About Unlicensed Software Use at UK Businesses (27/26 April 2006)

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Proof-of-Concept Code Released for Unpatched IE Hole (28 April 2006)

Proof-of-concept exploit code for an unpatched hole in Microsoft's Internet Explorer (IE) has been published. The flaw could allow attackers to run unauthorized code on Windows machines. The flaw affects only older versions of Windows; the most recent versions of Windows and Windows Server 2003 are unaffected. Also, to exploit the hole, attackers would need to trick users into performing a series of unusual actions. Microsoft has issued a statement explaining that "significant mitigating factors" are sufficient reason to address the flaw in an upcoming service pack instead of a security update. -http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/04/28/77853_HNsecondbug_1.html

Stolen Aetna Laptop Contains Data on 38,000 Members (27 April 2006)

Aetna Insurance has acknowledged that a laptop computer stolen from an employee's car contains personal data belonging to approximately 38,000 members. Those affected are employees of two companies who asked not to be named until all of their affected employees are informed of the laptop's theft and its implications. Aetna plans to send letters to inform all those affected. Aetna said the employee who left the computer in the car was not following company policy.
-http://news.zdnet.com/2102-1009_22-6066078.html?tag=printthis
[Editor's Note (Honan): This is getting ridiculous! Each week we hear of companies losing sensitive information on mobile media. What will it take to get the message across? If you store sensitive information on any mobile device make sure it is secured properly and the data is encrypted.]

MISCELLANEOUS

CD-ROMs given to various political campaign operations in Ohio apparently contain the Social Security numbers (SSNs) of as many as 7.7 million registered voters in the state. The Ohio secretary of state's office was alerted to the situation by one of the campaigns. All the campaigns have been contacted and have agreed to return the disks in exchange for disks without the SSNs. The campaign groups use the data on the CDs for phone canvassing and other political activities. Data privacy is not a new issue for the Ohio government; last month, a man sued the state of Ohio for posting his and others' SSNs on public record web sites. Ohio does have a security breach notification law that would require residents to be informed "if unencrypted or unredacted personal information about those individuals ... included in computerized data owned or licensed by [an] agency, person or business entity is accessed and acquired by unauthorized persons" as long as the disclosure "causes or is reasonably believed [to] create a material risk of the commission of the offense of identity fraud or other fraud to the individual."
-http://www.computerworld.com/printthis/2006/0,4814,110983,00.html

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/